From 3d8bd8bbf15322c0c317e76364b53ba7ea88def5 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 18 Jun 2025 13:32:03 +0000 Subject: [PATCH 1/6] Reset DNS_DBFIND_STALETIMEOUT in query_lookup() If ns__query_start() is called because of a chained query (e.g. after encountering a CNAME), a previously set DNS_DBFIND_STALETIMEOUT flag on the query's 'dboptions' field can cause an assertion failure if the new query's 'stalefirst' value is not true (e.g. if the target qname is an authoritative zone for the server). Reset the DNS_DBFIND_STALETIMEOUT flag in the query_lookup() function before evaluating the 'stalefirst' value, and make sure to assign a fresh value to the `stalefirst' flag instead of conditionally assigning it only if the value is 'true'. --- lib/ns/query.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/lib/ns/query.c b/lib/ns/query.c index e4e769d85b..4ea0859c82 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -5635,16 +5635,14 @@ ns__query_start(query_ctx_t *qctx) { } } - if (!qctx->is_zone && qctx->view->staleanswerclienttimeout == 0 && - dns_view_staleanswerenabled(qctx->view)) - { - /* - * If stale answers are enabled and - * stale-answer-client-timeout is zero, then we can promptly - * answer with a stale RRset if one is available in cache. - */ - qctx->options.stalefirst = true; - } + /* + * If stale answers are enabled and stale-answer-client-timeout is zero, + * then we can promptly answer with a stale RRset if one is available in + * cache. + */ + qctx->options.stalefirst = (!qctx->is_zone && + qctx->view->staleanswerclienttimeout == 0 && + dns_view_staleanswerenabled(qctx->view)); result = query_lookup(qctx); 
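Review bot: The rewritten comment above the new `qctx->options.stalefirst = (...)` assignment still only explains when stale-first applies, not why this has to be a plain assignment rather than the old `if (...) stalefirst = true;` — which is the actual fix. The commit message says ns__query_start() is re-entered for chained queries (e.g. after a CNAME) with the previous query's flag still set, and that the new qname may be authoritative; a reader of the code alone cannot tell that a conditional set here would reintroduce the assertion failure. I would extend the comment with `Always recompute this: ns__query_start() is re-entered for chained queries (e.g. after a CNAME) and the target may be in an authoritative zone, so a value left over from the previous lookup must not survive.` The rest of ns__query_start() lies outside the hunk.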
@@ -5773,7 +5771,9 @@ query_lookup(query_ctx_t *qctx) { rpzqname = qctx->client->query.qname; } - if (qctx->options.stalefirst) { + qctx->client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT; + + if (qctx->options.stalefirst && !qctx->is_zone) { /* * If the 'stalefirst' flag is set, it means that a stale * RRset may be returned as part of this lookup. An attempt @@ -5937,8 +5937,6 @@ query_lookup(query_ctx_t *qctx) { qctx_freedata(qctx); dns_db_attach(qctx->client->view->cachedb, &qctx->db); - qctx->client->query.dboptions &= - ~DNS_DBFIND_STALETIMEOUT; qctx->options.stalefirst = false; if (FETCH_RECTYPE_NORMAL(qctx->client) != NULL) { @@ -8570,11 +8568,9 @@ query_zone_delegation(query_ctx_t *qctx) { * setting the 'stalefirst' option, which is usually set in * the beginning in ns__query_start(). */ - if (qctx->view->staleanswerclienttimeout == 0 && - dns_view_staleanswerenabled(qctx->view)) - { - qctx->options.stalefirst = true; - } + qctx->options.stalefirst = + (qctx->view->staleanswerclienttimeout == 0 && + dns_view_staleanswerenabled(qctx->view)); result = query_lookup(qctx); From 94a463138eabe71fc46f86a85322144f4f92d5d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 2/6] Generate changelog for BIND 9.21.10 --- doc/arm/changelog.rst | 1 + doc/changelog/changelog-9.21.10.rst | 189 ++++++++++++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 doc/changelog/changelog-9.21.10.rst diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 8aec77d363..83783bfefa 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst @@ -18,6 +18,7 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +.. include:: ../changelog/changelog-9.21.10.rst .. include:: ../changelog/changelog-9.21.9.rst .. include:: ../changelog/changelog-9.21.8.rst .. include:: ../changelog/changelog-9.21.7.rst 
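Review bot: The new `!qctx->is_zone` guard skips the stale-first branch but leaves `qctx->options.stalefirst` set to true for the rest of the zone lookup, so any later test of `options.stalefirst` alone — further down query_lookup() or in a continuation that re-reads the flag, neither visible in this hunk — would still behave as if a stale answer had been requested. If such a reader exists, clearing the flag is safer than only guarding: `if (qctx->is_zone) { qctx->options.stalefirst = false; }` before the test, after which the guard can stay as documentation. The new unconditional `qctx->client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT;` also deserves a why-comment, since nothing nearby says where a stale value could come from; something like `/* An earlier lookup in this query (e.g. before a CNAME chain) may have set this; it is re-derived from 'stalefirst' below. */`. The enclosing query_lookup() begins and ends outside the hunk.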
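Review bot: Dropping the `dboptions &= ~DNS_DBFIND_STALETIMEOUT` from the fallback path at the second query_lookup() hunk is only equivalent if that path re-enters query_lookup() (where the flag is now cleared at the top); whether it does, or instead proceeds to another database lookup within the same invocation, is not visible here, and in the latter case the stale-timeout option set by the stale-first branch would now leak into the normal cache lookup. Since `qctx->options.stalefirst = false;` is kept on the very next line, keeping the one-line clear alongside it costs nothing and makes this path correct regardless: `qctx->client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT;`. If the path is known to recurse, a comment saying so would let the next reader verify the removal. The surrounding code of this path lies outside the hunk.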
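Review bot: The new assignment in query_zone_delegation() mirrors the one in ns__query_start() except that it omits the `!qctx->is_zone` term, so if `is_zone` has not yet been cleared at this point (the start of the function is outside the hunk) this is the one caller that can hand query_lookup() a stalefirst=true / is_zone=true pair, which the guard added there then has to absorb. Either use the identical expression, `qctx->options.stalefirst = (!qctx->is_zone && qctx->view->staleanswerclienttimeout == 0 && dns_view_staleanswerenabled(qctx->view));`, or extend the existing comment with a sentence stating that `is_zone` is already false here and the cache is about to be consulted, so the two sites visibly agree on the invariant.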
diff --git a/doc/changelog/changelog-9.21.10.rst b/doc/changelog/changelog-9.21.10.rst
new file mode 100644
index 0000000000..b21307c10e
--- /dev/null
+++ b/doc/changelog/changelog-9.21.10.rst
@@ -0,0 +1,189 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +BIND 9.21.10 +------------ + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40777] Fix a possible assertion failure when using the + 'stale-answer-client-timeout 0' option. ``7fafa0e48f8`` + + In specific circumstances the :iscman:`named` resolver process could + terminate unexpectedly when stale answers were enabled and the + ``stale-answer-client-timeout 0`` configuration option was used. This + has been fixed. :gl:`#5372` + +New Features +~~~~~~~~~~~~ + +- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys" + ``119f511a458`` + + Added support for PRIVATEDNS and PRIVATEOID key usage. Added + PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and + RSASHA512. + + Added code to support proposed DS digest types that encode the + PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field + of the DS record. This code is disabled by default. :gl:`#3240` + :gl:`!10341` + +- Add "named-makejournal" tool. ``6ef16565b43`` + + The `named-makejournal` tool reads two zone files for the same domain, + compares them, and generates a journal file from the differences. + :gl:`#5164` :gl:`!10081` + +- Add support to set and display the CO flag. ``419ad060238`` + + Add support to display the CO (Compact denial of existence Ok flag) + when displaying messages. + + Add support to set the CO flag when making queries in dig (+coflag). + :gl:`#5319` :gl:`!10482` + +- Replace the build system with meson. ``0c7a54095f6`` + + This MR replaces the build system with meson. 
+ + Speed: Meson is noticeably faster to setup and build than + automake/autoconf. The improvements will likely add up in CI and + development over time. + + Readability: Readability is a subjective criteria but meson is + generally regarded as easier to read compared to CMake and + automake/autoconf. + + Developer Ergonomics: Meson produces a compilation database, doesn't + require libtool wrapping of executables/debuggers and offers JSON + based build introspection. + + WrapDB and downloading dependencies is a non-issue for us since it + requires writing wrap files explicitly and has been disabled by + default via the `wrap_mode=nofallback` project option as a measure. + :gl:`!8989` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Change QP and qpcache logging from DEBUG(1) to DEBUG(3) + ``01a49e8e47a`` + + Currently qp and qpcache logs are too verbose and enabled at a level + too low compared to how often the logging is useful. + + This commit increases the logging level, while keeping it configurable + via a define. :gl:`!10604` + +- Change isc_tid to be isc_tid_t type (a signed integer type) + ``97bb7eb4df0`` + + Change the internal type used for isc_tid unit to isc_tid_t to hide + the specific integer type being used for the 'tid'. Internally, the + isc_tid unit is now using signed integer type. This allows us to have + negatively indexed arrays that works both for threads with assigned + tid and the threads with unassigned tid. Additionally, limit the + number of threads (loops) to 512 (compile time default). :gl:`!10656` + +- Parse user configuration before exclusive mode. ``b49f83a3e6c`` + + Previously, `named.conf` was parsed while the server was in exclusive + (i.e., single-threaded) mode and unable to answer queries. This could + cause an unnecessary delay in query processing when the file was + large. We now delay entry into exclusive mode until after the + configuration has been parsed, but before it is applied. :gl:`!10418` + +- Use RCU for rad name. 
``32e86ed6434`` + + The RAD/agent domain is a functionality from RFC 9567 that provides a + suffix for reporting error messages. On every query context reset, we + need to check if a RAD is configured and, if so, copy it. + + Since we allow the RAD to be changed by reconfiguring the zone, this + access is currently protected by a mutex, which causes contention. + + This commit replaces the mutex with RCU to reduce contention. The + change results in a 3% performance improvement in the 1M delegation + test. :gl:`!10616` + +Bug Fixes +~~~~~~~~~ + +- Fix the default interface-interval from 60s to 60m. ``d45109732bc`` + + When the interface-interval parser was changed from uint32 parser to + duration parser, the default value stayed at plain number `60` which + now means 60 seconds instead of 60 minutes. The documentation also + incorrectly states that the value is in minutes. That has been fixed. + :gl:`#5246` :gl:`!10281` + +- Fix purge-keys bug when using views. ``29c69d26d9f`` + + Previously, when a DNSSEC key was purged by one zone view, other zone + views would return an error about missing key files. This has been + fixed. :gl:`#5315` :gl:`!10550` + +- Use IPv6 queries in delv +ns. ``a37afc3bb18`` + + `delv +ns` invokes the same code to perform name resolution as + `named`, but it neglected to set up an IPv6 dispatch object first. + Consequently, it was behaving more like `named -4`. It now sets up + dispatch objects for both address families, and performs resolver + queries to both v4 and v6 addresses, except when one of the address + families has been suppressed by using `delv -4` or `delv -6`. + :gl:`#5352` :gl:`!10563` + +- Prevent false sharing for the .inuse member of isc_mem_t. + ``38cc19d756a`` + + Change the .inuse member of memory context to have a loop-local + variable, so there's no contention even when the same memory context + is shared among multiple threads. :gl:`#5354` :gl:`!10555` + +- Add rdata type header files to dns_header_depfiles macro. 
+ ``29eaae06e48`` + + The header file dns/rdatastruct.h was not being rebuilt when the rdata + type header files where modified. Removed proforma.c from the + list. It is a starting point for new types. :gl:`#5368` :gl:`!10574` + +- Clean up CFG_ZONE_DELEGATION. ``b1a8938d1aa`` + + `type delegation-only` has been obsolete for some time (see #3953) but + the zone type flag for it was still defined in libisccfg. It has now + been removed. :gl:`!10558` + +- Fix RTD builds and minor documentation issues. ``181ad273e8c`` + + Fix some leftover artifacts and information while transitioning BIND + to Meson. Add CI job to verify that pre-generated config grammar files + are up-to-date with code. :gl:`!10584` + +- Remove zone keyopts field. ``9e345283934`` + + The "keyopts" field of the dns_zone object was added to support + "auto-dnssec"; at that time the "options" field already had most of + its 32 bits in use by other flags, so it made sense to add a new + field. + + Since then, "options" has been widened to 64 bits, and "auto-dnssec" + has been obsoleted and removed. Most of the DNS_ZONEKEY flags are no + longer needed. The one that still seems useful (_FULLSIGN) has been + moved into DNS_ZONEOPT and the rest have been removed, along with + "keyopts" and its setter/getter functions. :gl:`!10564` + +- Various cleanups related to the isc_mem unit. ``f9528b88aea`` + + :gl:`!10671` + + From beb5214586aacc8150eafa139f87d930cf69ce7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 3/6] Prepare release notes for BIND 9.21.10 --- doc/arm/notes.rst | 1 + doc/notes/notes-9.21.10.rst | 80 +++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 doc/notes/notes-9.21.10.rst diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 7b2b7883e3..00c8d5f8ed 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -47,6 +47,7 @@ The list of known issues affecting the latest version in the 9.21 branch can be found at https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21 +.. include:: ../notes/notes-9.21.10.rst .. include:: ../notes/notes-9.21.9.rst .. include:: ../notes/notes-9.21.8.rst .. include:: ../notes/notes-9.21.7.rst diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst new file mode 100644 index 0000000000..063dfb0bdc --- /dev/null +++ b/doc/notes/notes-9.21.10.rst 
@@ -0,0 +1,80 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.21.10 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- [CVE-2025-40777] Fix a possible assertion failure when using the + 'stale-answer-client-timeout 0' option. + + In specific circumstances the :iscman:`named` resolver process could + terminate unexpectedly when stale answers were enabled and the + ``stale-answer-client-timeout 0`` configuration option was used. This + has been fixed. :gl:`#5372` + +New Features +~~~~~~~~~~~~ + +- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys" + + Added support for PRIVATEDNS and PRIVATEOID key usage. Added + PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and + RSASHA512. + + Added code to support proposed DS digest types that encode the + PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field + of the DS record. This code is disabled by default. :gl:`#3240` + +- Add "named-makejournal" tool. + + The `named-makejournal` tool reads two zone files for the same domain, + compares them, and generates a journal file from the differences. + :gl:`#5164` + +- Add support to set and display the CO flag. + + Add support to display the CO (Compact denial of existence Ok flag) + when displaying messages. + + Add support to set the CO flag when making queries in dig (+coflag). + :gl:`#5319` + +Bug Fixes +~~~~~~~~~ + +- Fix the default interface-interval from 60s to 60m. 
+ + When the interface-interval parser was changed from uint32 parser to + duration parser, the default value stayed at plain number `60` which + now means 60 seconds instead of 60 minutes. The documentation also + incorrectly states that the value is in minutes. That has been fixed. + :gl:`#5246` + +- Fix purge-keys bug when using views. + + Previously, when a DNSSEC key was purged by one zone view, other zone + views would return an error about missing key files. This has been + fixed. :gl:`#5315` + +- Use IPv6 queries in delv +ns. + + `delv +ns` invokes the same code to perform name resolution as + `named`, but it neglected to set up an IPv6 dispatch object first. + Consequently, it was behaving more like `named -4`. It now sets up + dispatch objects for both address families, and performs resolver + queries to both v4 and v6 addresses, except when one of the address + families has been suppressed by using `delv -4` or `delv -6`. + :gl:`#5352` + + From 9cdaaa6511873feb205cfb6688d664491dd10d2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 4/6] Tweak and reword release notes --- doc/changelog/changelog-9.21.10.rst | 4 +- doc/notes/notes-9.21.10.rst | 63 ++++++++++++++--------------- 2 files changed, 32 insertions(+), 35 deletions(-) diff --git a/doc/changelog/changelog-9.21.10.rst b/doc/changelog/changelog-9.21.10.rst index b21307c10e..09df95b497 100644 --- a/doc/changelog/changelog-9.21.10.rst +++ b/doc/changelog/changelog-9.21.10.rst 
@@ -44,9 +44,9 @@ New Features compares them, and generates a journal file from the differences. :gl:`#5164` :gl:`!10081` -- Add support to set and display the CO flag. ``419ad060238`` +- Add support for the CO flag to dig. ``419ad060238`` - Add support to display the CO (Compact denial of existence Ok flag) + Add support to display the CO (Compact Answers OK flag) when displaying messages. Add support to set the CO flag when making queries in dig (+coflag). diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst index 063dfb0bdc..d2912c8dfd 100644 --- a/doc/notes/notes-9.21.10.rst +++ b/doc/notes/notes-9.21.10.rst @@ -15,18 +15,18 @@ Notes for BIND 9.21.10 Security Fixes ~~~~~~~~~~~~~~ -- [CVE-2025-40777] Fix a possible assertion failure when using the - 'stale-answer-client-timeout 0' option. +- Fix a possible assertion failure when + :any:`stale-answer-client-timeout` is set to ``0``. In specific circumstances the :iscman:`named` resolver process could - terminate unexpectedly when stale answers were enabled and the - ``stale-answer-client-timeout 0`` configuration option was used. This - has been fixed. :gl:`#5372` + exit with an assertion failure when stale answers were enabled and the + :any:`stale-answer-client-timeout` configuration option was set to + ``0``. This has been fixed. :cve:`2025-40777` :gl:`#5372` New Features ~~~~~~~~~~~~ -- "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys" +- Add code paths to fully support PRIVATEDNS and PRIVATEOID keys. Added support for PRIVATEDNS and PRIVATEOID key usage. Added PRIVATEOID test algorithms using the assigned OIDs for RSASHA256 and 
@@ -36,45 +36,42 @@ New Features PRIVATEDNS and PRIVATEOID identifiers at the start of the digest field of the DS record. This code is disabled by default. :gl:`#3240` -- Add "named-makejournal" tool. +- Add :iscman:`named-makejournal` tool. - The `named-makejournal` tool reads two zone files for the same domain, - compares them, and generates a journal file from the differences. - :gl:`#5164` + The :iscman:`named-makejournal` tool reads two zone files for the same + domain, compares them, and generates a journal file from the + differences. :gl:`#5164` -- Add support to set and display the CO flag. +- Add support for the CO flag to :iscman:`dig`. - Add support to display the CO (Compact denial of existence Ok flag) - when displaying messages. - - Add support to set the CO flag when making queries in dig (+coflag). - :gl:`#5319` + Add support for Compact Denial of Existence to :iscman:`dig`. This + includes showing the CO (Compact Answers OK) flag when displaying + messages and adding an option to set the CO flag when making queries + (:option:`dig +coflag`). :gl:`#5319` Bug Fixes ~~~~~~~~~ -- Fix the default interface-interval from 60s to 60m. +- Correct the default :any:`interface-interval` from 60s to 60m. - When the interface-interval parser was changed from uint32 parser to - duration parser, the default value stayed at plain number `60` which - now means 60 seconds instead of 60 minutes. The documentation also - incorrectly states that the value is in minutes. That has been fixed. - :gl:`#5246` + When the :any:`interface-interval` parser was changed from a + ``uint32`` parser to a duration parser, the default value stayed at + plain number ``60`` which now means 60 seconds instead of 60 minutes. + The documentation also incorrectly states that the value is in + minutes. That has been fixed. :gl:`#5246` -- Fix purge-keys bug when using views. +- Fix a :any:`purge-keys` bug when using multiple views of a zone. 
Previously, when a DNSSEC key was purged by one zone view, other zone views would return an error about missing key files. This has been fixed. :gl:`#5315` -- Use IPv6 queries in delv +ns. - - `delv +ns` invokes the same code to perform name resolution as - `named`, but it neglected to set up an IPv6 dispatch object first. - Consequently, it was behaving more like `named -4`. It now sets up - dispatch objects for both address families, and performs resolver - queries to both v4 and v6 addresses, except when one of the address - families has been suppressed by using `delv -4` or `delv -6`. - :gl:`#5352` - +- Use IPv6 queries in :option:`delv +ns`. + :option:`delv +ns` invokes the same code to perform name resolution as + :iscman:`named`, but it neglected to set up an IPv6 dispatch object + first. Consequently, it was behaving more like :option:`named -4`. It + now sets up dispatch objects for both address families, and performs + resolver queries to both IPv4 and IPv6 addresses, except when one of + the address families has been suppressed by using :option:`delv -4` or + :option:`delv -6`. :gl:`#5352` From 405938597fd6fb1a71e3fa3d362f4e1b15a69dae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Thu, 3 Jul 2025 22:54:36 +0200 Subject: [PATCH 5/6] Add release note for GL !8989 --- doc/notes/notes-9.21.10.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/notes/notes-9.21.10.rst b/doc/notes/notes-9.21.10.rst index d2912c8dfd..3c11adcc96 100644 --- a/doc/notes/notes-9.21.10.rst +++ b/doc/notes/notes-9.21.10.rst @@ -49,6 +49,14 @@ New Features messages and adding an option to set the CO flag when making queries (:option:`dig +coflag`). :gl:`#5319` +Feature Changes +~~~~~~~~~~~~~~~ + +- The build system was changed to `Meson`_. See :ref:`build_bind` for + revised instructions on building BIND 9 from source. :gl:`!8989` + +.. _Meson: https://mesonbuild.com/ + Bug Fixes ~~~~~~~~~ 
From 205da98524b51d329a5d81e991e8a9180e1dd9d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 4 Jul 2025 11:34:56 +0200 Subject: [PATCH 6/6] Update BIND version for release --- meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build index d39fa770f8..432af24b9a 100644 --- a/meson.build +++ b/meson.build @@ -12,7 +12,7 @@ project( 'bind', ['c'], - version: '9.21.10-dev', + version: '9.21.10', meson_version: '>=0.61', license: 'MPL-2.0', default_options: [